Date: Thu, 27 Mar 2008 21:39:50 -0400 (EDT)
From: David Wentzlaff
Subject: [Qemu-devel] [PATCH] SMP BIOS race condition bug
To: bochs-developers@lists.sourceforge.net
Cc: qemu-devel@nongnu.org

This patch fixes a race condition in the Bochs rombios. Under normal MP processor enumeration, the boot processor sends an inter-processor interrupt (IPI) to the non-boot processors, vectoring them to "smp_ap_boot_code_start". The code at smp_ap_boot_code_start then increments CPU_COUNT_ADDR. The current code base increments with an incw instruction; unfortunately, incw is not atomic, and multiple processors can read, then modify, then write back the result at the same time, resulting in fewer processors being counted than are actually in the system. I have seen this happen in high processor count (>=16) QEMU emulations. I have experienced anywhere from {n, n-1, n-2} processors detected by the BIOS.

The fix is to simply lock the incw with the x86 'lock' prefix. Attached is the patch. I have CCed qemu-devel as it affects that project as well as bochs.

Sincerely,
David Wentzlaff

Index: rombios32start.S
===================================================================
RCS file: /cvsroot/bochs/bochs/bios/rombios32start.S,v
retrieving revision 1.4
diff -d -u -r1.4 rombios32start.S
--- rombios32start.S 26 Jan 2008 09:15:27 -0000 1.4
+++ rombios32start.S 28 Mar 2008 01:29:49 -0000
@@ -42,7 +42,7 @@ smp_ap_boot_code_start: xor %ax, %ax mov %ax, %ds - incw CPU_COUNT_ADDR + lock incw CPU_COUNT_ADDR 1: hlt jmp 1b
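Review bot: The changed line in the hunk should carry a comment explaining why the `lock` prefix is there, since `incw CPU_COUNT_ADDR` is a memory read-modify-write that every application processor executes concurrently and a later cleanup could easily drop the prefix as "redundant"; something like `lock incw CPU_COUNT_ADDR /* several APs run this at once; plain incw loses counts */` next to the `+` line would do. The prefix itself is the right fix for the lost-update problem described in the message, because `lock` makes that single instruction's read, add and write-back atomic with respect to the other processors. One thing worth stating in the commit message: this hunk only makes the increment atomic; the boot processor still has to wait long enough before it reads CPU_COUNT_ADDR, and that wait is not touched here, so an under-count caused by reading the word too early would be a separate issue from the one this patch fixes.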
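As an added example, not part of David Wentzlaff's patch or of the Bochs/QEMU sources, the C program below reproduces the lost-update race on a 16-bit counter, with threads standing in for the application processors. On x86 each thread runs the exact pair of instructions from the hunk through inline assembly (plain `incw` in one trial, `lock incw` in the other); on other architectures a `__atomic_fetch_add` and a plain load/add/store stand in (assumption: a GCC or Clang compiler). `run_trial`, `expected_count`, `NUM_THREADS`, `ITERATIONS` and `cpu_count` are this example's own names.

```c
/* Added example, not part of the Bochs patch or the original e-mail: models the
 * CPU_COUNT_ADDR race with threads standing in for application processors. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_THREADS 4       /* stand-ins for the application processors (APs) */
#define ITERATIONS  10000   /* 4 * 10000 < 65536, so the 16-bit counter cannot wrap */

/* Plays the role of the word at CPU_COUNT_ADDR. volatile keeps the fallback
 * path from being folded into a single add by the optimiser. */
static volatile uint16_t cpu_count;

/* One increment, either the plain or the lock-prefixed form from the patch. */
static void bump_counter(int locked)
{
#if defined(__x86_64__) || defined(__i386__)
    if (locked)
        __asm__ __volatile__("lock incw %0" : "+m"(cpu_count) : : "memory", "cc");
    else
        __asm__ __volatile__("incw %0" : "+m"(cpu_count) : : "memory", "cc");
#else
    /* Non-x86 fallback (assumption: GCC/Clang builtins available): an atomic
     * read-modify-write versus a plain load/add/store with the same hazard. */
    if (locked)
        __atomic_fetch_add(&cpu_count, 1, __ATOMIC_SEQ_CST);
    else
        cpu_count = cpu_count + 1;
#endif
}

/* Thread body: behaves like one AP that reaches smp_ap_boot_code_start,
 * except that it increments many times so the race becomes visible. */
static void *ap_worker(void *arg)
{
    int locked = *(int *)arg;
    for (int i = 0; i < ITERATIONS; i++)
        bump_counter(locked);
    return NULL;
}

/* Number of increments issued in one trial; the counter should end here. */
uint16_t expected_count(void)
{
    return (uint16_t)(NUM_THREADS * ITERATIONS);
}

/* Resets the counter, lets NUM_THREADS threads increment it concurrently and
 * returns the final value. locked selects the lock-prefixed form. */
uint16_t run_trial(int locked)
{
    pthread_t tids[NUM_THREADS];
    int started = 0;

    cpu_count = 0;
    for (int i = 0; i < NUM_THREADS; i++) {
        if (pthread_create(&tids[i], NULL, ap_worker, &locked) != 0)
            break;
        started++;
    }
    for (int i = 0; i < started; i++)
        pthread_join(tids[i], NULL);
    return cpu_count;
}

int main(void)
{
    uint16_t plain = run_trial(0);
    uint16_t locked = run_trial(1);

    printf("plain incw: %u of %u increments survived\n", plain, expected_count());
    printf("lock incw:  %u of %u increments survived\n", locked, expected_count());
    /* The locked form never loses an increment; the plain form usually does. */
    return locked == expected_count() ? 0 : 1;
}
```

Build with `cc -O2 -pthread race.c` and run it a few times: the `lock incw` trial always reports the full count, while the plain `incw` trial typically comes up short by a run-dependent amount, which is the same pattern as the {n, n-1, n-2} processor counts reported in the message.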